docker alpine-linux

How to change ownership in docker image during build?


1. FROM node:16.17-alpine
2. 
3. RUN addgroup app && adduser -S -G app app
4. USER app
5. 
6. WORKDIR /app
7. COPY . .

I then run: docker build -t mytest .

[+] Building 3.3s (9/9) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                0.1s
 => => transferring dockerfile: 313B                                                                                                                0.0s
 => [internal] load .dockerignore                                                                                                                   0.0s
 => => transferring context: 34B                                                                                                                    0.0s
 => [internal] load metadata for docker.io/library/node:16.17-alpine                                                                                3.0s
 => [1/4] FROM docker.io/library/node:16.17-alpine@sha256:4d68856f48be7c73cd83ba8af3b6bae98f4679e14d1ff49e164625ae8831533a                          0.0s
 => [internal] load build context                                                                                                                   0.0s
 => => transferring context: 40.15kB                                                                                                                0.0s
 => CACHED [2/4] RUN addgroup app && adduser -S -G app app                                                                                          0.0s
 => CACHED [3/4] WORKDIR /app                                                                                                                       0.0s
 => [4/4] COPY . .                                                                                                                                  0.0s
 => exporting to image                                                                                                                              0.1s
 => => exporting layers                                                                                                                             0.0s
 => => writing image sha256:aaeb83b6fde7be16f0c9a80d7f9a5af868a08ad603269051014716a32ca8f54c                                                        0.0s 
 => => naming to docker.io/library/mytest                                                                                                           0.0s

Now I run it in a container with docker run -it mytest sh and confirm I'm app (user).

/app $ whoami
app

Running the ls -l command to view the contents with their permissions:

/app $ ls -l
total 52
-rwxr-xr-x    1 root     root           274 Oct 11 06:22 Dockerfile
-rwxr-xr-x    1 root     root           309 Oct 10 12:47 index.js
-rwxr-xr-x    1 root     root         39685 Oct 11 06:37 package-lock.json
-rwxr-xr-x    1 root     root           211 Oct 10 13:45 package.json

The owner is root, but in my Dockerfile, on line 3, I created a user group and user before running the COPY command. I also set the user to app on line 4. So why is the owner of the copied content root and not app?

When I create a new file hello.ts there, the owner is now app:

/app $ touch hello.ts
/app $ ls -l
total 52
-rwxr-xr-x    1 root     root           274 Oct 11 06:22 Dockerfile
-rw-r--r--    1 app      app              0 Oct 11 06:42 hello.ts
-rwxr-xr-x    1 root     root           309 Oct 10 12:47 index.js
-rwxr-xr-x    1 root     root         39685 Oct 11 06:37 package-lock.json
-rwxr-xr-x    1 root     root           211 Oct 10 13:45 package.json
/app $ 

How do I set the user during the build?


Solution

  • You need to change the owner for the COPY instruction, as it runs as admin unless specified otherwise.

    COPY --chown=app:app . .
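
A way to catch this in review or CI, as an added example that is not part of the original question or answer: a POSIX shell/awk check that flags COPY or ADD instructions lacking --chown while a non-root USER is active. The helper names check_copy_owner and write_samples are hypothetical, the sample Dockerfiles are constructed from the one in the question, and the check assumes one instruction per line (no backslash continuations) and only tracks a USER set explicitly in the Dockerfile.

```shell
#!/bin/sh
# check_copy_owner FILE (hypothetical helper, not a Docker command):
# prints "line N: <instruction>" for every COPY/ADD that has no --chown
# while a non-root USER is active; returns 1 if anything was flagged.
check_copy_owner() {
    awk '
        { instr = toupper($1) }                 # instructions are case-insensitive
        instr == "FROM" { user = "" }           # new stage: no explicit USER seen yet
        instr == "USER" { user = $2; sub(/:.*/, "", user) }   # drop optional :group
        (instr == "COPY" || instr == "ADD") && user != "" &&
            user != "root" && user != "0" {
            chown = 0
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^--/) break          # flags come before the paths
                if ($i ~ /^--chown=/) chown = 1
            }
            if (!chown) { printf "line %d: %s\n", NR, $0; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: the Dockerfile from the question (without its
# line-number prefixes) and the same file with the fix from the answer.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'FROM node:16.17-alpine' '' \
        'RUN addgroup app && adduser -S -G app app' 'USER app' '' \
        'WORKDIR /app' 'COPY . .' > "$dir/Dockerfile.before"
    sed 's/^COPY /COPY --chown=app:app /' "$dir/Dockerfile.before" \
        > "$dir/Dockerfile.after"
    echo "$dir"
}

samples=$(write_samples)
check_copy_owner "$samples/Dockerfile.before" || echo "before: copied files will be owned by root"
check_copy_owner "$samples/Dockerfile.after" && echo "after: ownership set on every COPY/ADD"
rm -rf "$samples"
```

Root-owned, read-only application files can be a deliberate choice when the runtime user should not be able to modify its own code, so treat each finding as a question to answer rather than a defect.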